wiredepth

Spoofability verdict for notion.so

Maybe - notion.so is partially protected.


Notion.so sits in an awkward middle ground: it's making an effort to authenticate, but that effort has critical gaps that leave its domain partially exposed to impersonation.

  • DMARC at p=quarantine; pct=100: Notion enforces quarantine on all mail that fails DMARC, which is the right call: it pushes suspicious messages to spam rather than silently accepting them. This is the strongest piece of their setup.
  • SPF with ~all (softfail): SPF is set to softfail, not hardfail. This means an attacker can still send from notion.so and receive only a softfail result, and many mail systems will accept or deliver those messages anyway. Softfail is a weak placeholder.
  • DKIM absent (0 of 22 selectors found): No DKIM signing is in place. Even if SPF and DMARC are tuned, the absence of DKIM means there is no signature check to prove the message wasn't tampered with in transit, a significant missed layer.
  • MTA-STS missing: No MTA-STS policy is published. This doesn't directly enable spoofing, but it leaves the door open for mail downgrade attacks and man-in-the-middle interception in transit.

What this means practically

An attacker can send mail from notion.so addresses and receive only an SPF softfail (a permissive result), then rely on the receiving mail server not honouring DMARC quarantine. In practice, major providers like Gmail and Outlook will quarantine many of these messages, but less aggressive mail systems may still deliver them. The absence of DKIM means that even if SPF passes, nothing stops an attacker from modifying the message body in flight. Targeted spear-phishing against Notion's own users or partners is realistic here.

Bottom line: Notion has taken a half-step toward email authentication. The quarantine policy is good, but softfail SPF and missing DKIM defeat the point; upgrade to -all SPF and add DKIM signing to close the gap.

What we measured

  • DMARC policy: p=quarantine (Partial)
    DMARC at p=quarantine. Spoofed mail goes to spam but is not rejected.

  • SPF posture: ~all (softfail) (Partial)
    Record found: v=spf1 ~all
    SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.

  • DKIM presence: no key found at common selectors (Open)
    No DKIM key found at any of the 22 common selectors. (Your domain may publish a DKIM key at a less-common selector; this is a heuristic, not exhaustive.)

  • MTA-STS (transport): missing (Open)
    No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Move DMARC to p=reject pct=100 once your rua reports show no legitimate-sender failures.
  2. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
  3. Confirm DKIM is configured. We didn't find a key at the common selectors; if you do publish DKIM, the selector you use isn't in our probe list - that's fine, but worth verifying with your mail provider.
  4. Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint.
